from the well,-duh dept

Look, we warned everyone about this. Right after Congress stupidly stripped privacy protections so that ISPs could more actively sell your data (and make it harder for you to realize it or do anything about it), there were a few crowdfunding campaigns that popped up on GoFundMe, claiming that they were raising money to then buy the web browsing data of Congress. We pointed out at the time that this was dumb and dangerous because you can't just go buy someone's web surfing data. That's not how any of this works. But, you know, it was one of those stories that people just really, really wanted to believe, so apparently unaware of it being flat out impossible (more people should read Techdirt...), tons and tons of people donated tons and tons of money, without realizing there was absolutely no way these campaigns could do what they they claimed. The more well-known campaign, by a self-declared "privacy activist" named Adam McElhaney, ended up raising over $200k (despite others claiming that it looked like a pure scam). The slightly lesser well-known one, by actor Misha Collins, took in just under $90k. Between them, they raised about $300k... with promises of obtaining data that anyone with any knowledge of the situation would know they couldn't obtain.

So, uh, take a wild guess what has happened? If you guess they didn't get any data with that money, well give yourself a prize, because that's exactly 100% what happened.

And... some of the folks snookered into handing over the cash for something that was pretty clearly bogus are... not happy. Many have been requesting refunds. McElhaney is now claiming that he was never planning to buy the data from ISPs, but rather get it by FOIA, though he's now admitting in a GoFundMe update that it's not working either:

When I started, I said I wanted to get the internet histories of those who voted for this law.

That has not changed.

What I didn't mention was *WHERE* I planned on getting the data. If I told you that I was going to come after your web habits, your search history, you might - as I imagine many of you did - change what you look up on your home computers. This is what I wanted our legislators to think - their home internet connections where being targeted. When in fact I was coming for their office server data. That data is subject to Freedom of Information Act requests and very obtainable.

Even if they didn't change their habits the data stored in their work proxy servers would still be a trove of information. Maybe even more telling than home.

The reason I am telling this to you now is, I think the cat is out-of-the-bag. After the first forty paper requests went out, a few days later I was contacted by a friend who happens to work in the offices of a senators. She said that word is getting around that "the GoFundMe guy that has raised all that money for privacy is trying to get our work internet history."

Now after about 80 paper requests have gone out, I have received responses back from three. They simply stated they do not have the data I requested. Oddly enough they were all requests for the same person, Marsha Blackburn. But, it makes sense. I am in Tennessee and three of her offices are in Tennessee so the mail would have gotten to her offices faster. After that I have received no other responses.

He then notes that anyone who wants a refund should request it and GoFundMe would return the money -- but for those who didn't request a return, he'd hand the money over to EFF. Hopefully that is true -- EFF obviously does great work. But, still, this whole episode is an unfortunate one. There remain very real issues around the privacy rules being killed and the way in which ISPs handle our private info. But going nuts and exaggerating the situation helped no one (well, perhaps EFF will benefit in the end... but still not the best way to handle this). Keeping things in perspective and accurate is important. Flying off the handle and assuming you can just go buy everyone's internet browsing history without actually understanding the legal change that was happening was dumb -- and it was dumb that many in the press helped make the story go viral without any explanation that it was bullshit. If you want to donate to organizations for doing good work, donate to them directly -- not through some sketchy scheme like these.

Reader Comments

I asked...

I asked an operator for the phone company Long ago about caller ID, AND IF the data sent could be read on MY SIDE..The reason was because so many COMPANIES dont want you to KNOW they are calling..and the data is erased of WHO IS CALLING..

"The operator said NO you cant.."

Later I found that THERE WAS A WAY to do this..

The truth..about interception and the internet..IT CAN BE DONE, but not by an OUTSIDER and without a COURT ORDER...How else do you think the FBI tracks down SPAMMERS??ANd if the Agencies REALLY wish to TAKE Privacy/security/... away..THEY WILL NOT LIKE IT..

Re: Re: Re: I asked...

In the past they could BLOCK the ID.. But, DATA had to be sent for it to be Blocked from SHOWING on Caller ID..

When you make a call on a normal consumer landline, you do not send any caller ID data. Your telephone company's switch will set your Calling Line Identification, either with your actual number or with an indication it's blocked, and forward it to the next switch (or encoded as Caller ID to the destination party if they're on the same switch). When a caller has their own switch (PBX), they send the Calling Line Identification--maybe with BLOCKED or a fake number--and the phone company forwards it along. You'll see the data they sent.

What you want is something other than caller ID. You want to know who's making the call, and the phone company does have that information for billing purposes. That's Automatic Number Identification (ANI), which isn't easily blocked but is never transmitted to normal phone lines. You can see that if you have a toll-free number (which is actually pretty cheap these days).

Cellphones have a more advanced Caller ID..which is weird.

Do they? Name display worked on landlines but not cellphones for years. What are landlines missing?

Re: I asked...

Caller ID is so horribly easy to do whatever you want with. There are sites on the internet you can pay to connect a call for you with whatever Caller ID you ask them to use.

If you have a eTrunk or Primary Rate ISDN, you can set it yourself on the switch.

Automatic Number Identification (ANI) is what you're talking about needing a court order for. Even that can be spoofed or useless (international call termination centers, for example. This is how you get a guy with the strong accent "calling from Microsoft about a virus your computer has")

Please use spammers or Spammers for bulk, unsolicited email, as SPAM(tm) is a tasty canned meat product and is a registered trade mark of Hormel(R), whose lawyers have most kindly asked folks to do. Note please they kindly asked, instead of going on a sue ball rampage.

Last, the FBI doesn't care about spammers. How do I know? I used to manage a large email system for an ISP and constantly tried to get spammers shut down and arrested. No observable outcomes. I would guess they aren't much more interested in shutting down junk callers.

Re: Re: I asked...

Automatic Number Identification (ANI) is what you're talking about needing a court order for.

According to Wikipedia "Toll-free subscribers and large companies normally have access to ANI, either instantly via installed equipment, or from a monthly billing statement. Residential subscribers can obtain access to ANI information through third party companies that charge for the service."

(The citation for that last sentence describes a service where you forward incoming calls to a toll-free number, and they'll get the ANI and send the call back to you with caller ID set based on that.)

Flying off the handle and assuming you can just go buy everyone's internet browsing history without understanding that selling data is not what these companies do...

They don't go to people and say, look, we have all this data do you want to buy it, because that would be dumb. They go to people and say, look, we have all this data, and we can use it to specifically target your product to the people most likely to use it (or whatever else someone wants to do with it).

As soon as they sell their data, that data becomes a commodity. After all, their data is just a collection of facts, and facts cannot be copyrighted. Whoever they sell it to can easily turn around and undercut them.

Re: As soon as they sell their data

Re: Re: As soon as they sell their data

They sell the use of the data, not the data itself.

Not because that would be illegal, just because they deem it less profitable.

Could we take advantage of it anyway? How about running ads targeted at certain types of users ("in congress" or as close as you can get) and certain types of content, and seeing how often they're shown?

Re: Re: just because they deem it less profitable

Instead, they sell the use of the data, which most users don't mind

Perhaps they don't mind because they don't know, or don't understand fully. It's a very opaque process that we have no visibility into. But there's plenty of evidence that people are uneasy when ads are targeted "too well".

The people who get the "use" of that data also get metadata about it, like number of ad views and clickthroughs. Metadata is not always so innocent, and can reveal thet data that people were trying not to give out. If I could target an ad specifically enough it could invade someone's privacy—e.g., I target "people browsing Techdirt" with interests in (several of your interests) with your geolocation, age, and sex. And then I see a zero or nonzero view count and know whether you were browsing Techdirt.

That assumes a certain level of ad targeting. I have no idea whether it's possible because, as noted above, normal people have no visibility into this world.

Re: Re: just because they deem it less profitable

if they did that, the users would instantly disappear.

That's bullshit. Millions of Americans hate their cable companies and ISPs with a passion and still pay them every month. If the monopoly ISP outright sells the data, people aren't going to cancel en-masse and go without internet. That's why they wanted these privacy rules in the first place.

That is how capitalism is supposed to work

Yes, but capitalism rarely works properly when a monopoly is involved.

Re: Re: Re: Re: As soon as they sell their data

Also because it would be illegal. Seriously, it would violate multiple laws as we described in another post.

Which post? I don't see any mention of it in the one you linked from the article: "No, You Can't Buy Congress's Internet Data, Or Anyone Else's"—and none of posts I "may also be interested in" look related.

Re: Re: Re: Re: Re: Re: As soon as they sell their data

Umm, no. The laws you referred to in that article are for telephone. In the industry that information is called CPNI and, yes, it is protected. However, telephone and internet service are not the same under the law.

Re: Re: Re: Re: Re: Re: Re: As soon as they sell their data

Umm, no. The laws you referred to in that article are for telephone. In the industry that information is called CPNI and, yes, it is protected. However, telephone and internet service are not the same under the law.

I don't know how to break this to you more politely, but you are 100% absolutely, totally and completely wrong. The whole point behind classifying broadband access providers under Title II, as the FCC did in 2015, is that they are now classified as telecom carriers -- meaning that Section 222 absolutely 100% positively applies to them for this kind of information. Everyone admits this. The broadband providers admit this. The FCC admits this. Only you seem to think it's something different. Telephone and internet services are currently very much the same under the law -- that's what Title II is.

The other law cited, the wiretap act, does not just apply to telephone services, so your point makes no sense there.

So, no, you're wrong.

It's possible should the FCC reclassify broadband again (not at all easy) that 222 will no longer apply. That's what should be watched for carefully.

Re: Re: Re: Re: Re: Re: Re: Re: As soon as they sell their data

I don't know how to break this to you more politely, but you are 100% absolutely, totally and completely wrong.

I would say the same thing to you. But believe what you want. While I'm not a lawyer (and don't believe that you are either, are you?), I do work in the industry and depend on what our real lawyers that specialize in this field tell us.

Only you seem to think it's something different.

Me, our lawyers and whole lot of others in the industry.

Consider this (as just one example of many): If what you believe was true, then the same telecom regulations that keep telcos from mining your telephone calls for advertising purposes would also keep internet providers from doing the same with your internet usage. Please, please don't tell me you've never heard of that.

Re: Re: Re: Re: Re: Re: Re: Re: Re: As soon as they sell their data

I would say the same thing to you. But believe what you want. While I'm not a lawyer (and don't believe that you are either, are you?), I do work in the industry and depend on what our real lawyers that specialize in this field tell us.

Which company do you work for then? Because the industry and the FCC have made it clear that Section 222 absolutely, positively does apply to them.

“That’s correct, carriers would still have their obligations under Section 222 in addition to other federal and state privacy data security and breach notification requirements,” Pai responded at a Senate Commerce Committee oversight hearing."

"For example, AT&T and other ISPs’ actions continue to be governed by Section 222 of the Communications Act just as they were for the nearly two years that passed between reclassification of internet access as a Title II service and the passage of new rules last fall."

Other companies have made similar statements. I have not seen a single broadband company argue that it is not bound by Section 222 since reclassification, because it's simply not true.

So you're absolutely, 100% wrong. The FCC, including it's current boss, and the biggest broadband providers in the industry all agree that Section 222 applies and protects this info.

So either you're lying or you don't actually know what you're talking about.

Which company do you work for then?
A major ISP. One which would fire me in an instant if I outed myself, considering that I am often critical of the industry. Sorry, you're not getting that.

So either you're lying or you don't actually know what you're talking about.

I am not a lawyer and have said so. I have revealed what our lawyers have told us. If you are saying that I am lying about that, then I would like to know how you know the details of those meetings. If, however, you are calling me a liar with no knowledge of those meetings, then I would say that, you sir, are the liar.

I will note that you completely ignore the links to both AT&T and Pai himself saying publicly that Section 222 applies.

At this point, it's difficult to take you seriously. I point to evidence. You claim there are secret meetings where the lawyers who work for your company state things exactly the opposite of what they state publicly.

Even if you're right, it doesn't matter, because the fact that everyone has already admitted this publicly means that if the matter were to go to court, the claims in your secret meetings are worthless compared to the PUBLIC STATEMENTS of your (supposed) employer.

I'm honestly beginning to believe that you don't actually work for an ISP. Either way, I've now sent PR requests to all major ISPs to see if they admit, as they have publicly, that Section 222 applies to them, as is clearly stated in the rules, and admitted already by most of them and Chairman Pai.

While Google has issued updates that claim they only release the stuff the folks signing up say they can, does anyone think that Google doesn't have the ability to store and sell complete browsing histories?